Beware PowerSniff! Malware uses Word macros and PowerShell scripts

An ongoing spam campaign is serving up malicious macro documents that execute PowerShell scripts and inject malware directly into memory of the victim’s computer.

Josh Grunzweig and Brandon Levene, threat researchers at Palo Alto Networks, explain in a blog post that the malware, which they have dubbed “PowerSniff,” arrives in a user’s inbox as a malicious Word document attached to a spear phishing email targeting the victim’s company.

If the attachment is launched, a malicious macro will attempt to execute as soon as the document opens, or it will prompt the user to enable macros before proceeding.

Successful execution paves the road for the macro to open a secret instance of powershell.exe that contains the following arguments (with URLs removed):

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden –noprofile

Once it has figured out whether it is running on a 32- or 64-bit instance of Microsoft Windows, the malware downloads a PowerShell script that contains a shellcode.

Once executed, that shellcode decrypts itself and in turn executes its malware payload.

At this point in time, the malware performs a series of actions to gather more information about the machine on which it is running. For instance, it scans for usernames like “MALWARE” and “VIRUS” as well as a number of libraries to determine whether it is running in a virtualized environment or sandbox.

This is clearly an attempt to avoid analysis by anti-virus researchers.

PowerSniff also checks for the absence of the strings “TEACHER,” “STUDENT,” “SCHOOLBOARD,” “PEDIATRICS,” and “ORTHOPED” but actively looks for the presence of “POS,” “STORE,” “SHOP,” and “SALE.”

Grunzweig and Levene have shared their theories as to why the malware behaves in this way:

“As a summary to these checks, it would appear as though this malware is attempting to actively avoid healthcare and education machines, as well as target point of sale instances and machines that conduct financial transactions. Similar techniques were witnessed in a malware family named ‘Ursnif’ in mid-2015.”

The malware ultimately relays information it has gathered back to one of its command and control (C&C) servers. If the target machine is deemed to be of some interest, the server responds with a DLL that is temporarily written to the disk at %%userprofile%%\\AppData\\LocalLow\\[random].db and which is then executed using a call to rundll32.exe.

Currently, the vast majority of users affected by PowerSniff and this spam campaign are based in the United States. However, this threat campaign could feasibly expand to other locations around the world.

With that in mind, it is important that network defenders familiarize themselves with how attackers can write malware directly to the Windows Registry while bypassing the hard drive.

As for ordinary users, it’s a good idea to be wary of opening unsolicited attachments, keep macros disabled, and to be suspicious of any document from an unknown sender that tries to convince you to enable the execution of macros.

‘This’ is the keyword. That point is something too many Linux users ignore. And it’s not restricted to Ubuntu. I (and many others) could easily write malicious scripts (as in csh, ksh, tcsh, bash, list goes on but I only refer to those because they are shells; this isn’t restricted to shell scripts) all of which could do enormous harm even if run unprivileged. Linux isn’t immune to malicious scripts or executables, libraries or anything else. You’re lying to yourself and you’re playing a dangerous game by believing (if that is indeed what you’re suggesting) you’re not at risk; everyone is at risk - especially those who believe they aren’t at risk.

Why does a document need to run macros, especially one that can open a powershell and run a script? This is a problem in Adobe Reader as well. Would they ever say “This was a bad idea. We are removing the capability entirely. Documents will just have to be documents.”. Hell no. They will add another layer of complexity, such as macro signing. This will result in confusion (and probably expense) regarding credentials and users will become used to clicking the “run anyway” button all the time just to read their day to day documents. Oh, and also the “improved” security will have exploitable bugs, too. And the cycle continues. When will we learn?

Smashing Security podcast

Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!